The NIST Framework is the gold standard for cybersecurity in the United States and continues to be the basis for many other standards and regulations. Our previous blog focused on what the NIST framework is and all that it entails.
This blog looks at the NIST framework functions, profiles, and implementation tiers. Below is a breakdown of the five core functions of the NIST Cybersecurity Framework:
Core Function 1: Identify
Businesses need a thorough understanding of their environment to get the most out of the NIST Cybersecurity Framework. That understanding allows them to address and mitigate cybersecurity risks at the data, asset and system levels. This function refers to the ability of the business to evaluate its overall context.
An organization can complete this function by understanding what assets it has in its inventory, how each asset is connected, and the roles and responsibilities employees have for each asset. Understanding and evaluating the context of the business helps organizations identify cyber risks and enables them to comply with their risk management strategy.
Here are five key categories of this function:
- Asset management - identifies the key resources used to achieve the core purposes of the business, e.g. employees, devices, data, systems and facilities.
- Business environment - outlines the organization's goals and objectives, mission, key stakeholders and operations.
- Governance - defines the policies, procedures and processes involved in monitoring and managing the business's legal, risk, regulatory and environmental duties.
- Risk assessment - evaluates the risks that can affect the organization's personnel, operations and assets.
- Risk management strategy - a breakdown of how the organization intends to tackle risk, including its risk priorities, tolerances and constraints.
Core Function 2: Protect
Once the organization has finished identifying the possible cyber risks, it needs to evaluate how its current policies help protect it and in which areas those policies can be amended to improve its protection capability. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.
An organization can complete this function by understanding how its current cybersecurity policies defend it against risks and where there are gaps in protection.
Here are six categories of safeguards that ensure delivery of critical infrastructure services:
- Access control - organizations need to control employee access to data, ensuring that, based on their roles and responsibilities, employees receive only the access they require to perform their duties.
- Awareness and training - helps employees understand the company's policies, procedures and requirements regarding information security.
- Data security - managing the sensitive information of the company in accordance with the risk strategy.
- Information protection processes and procedures - protecting information assets and systems effectively.
- Maintenance - carrying out remote maintenance and other maintenance activities in a way that protects resources.
- Protective technology - using protective technology to increase the resilience of systems and assets against internal and external threats.
Core Function 3: Detect
The Detect Function defines the activities needed to identify the occurrence of a cybersecurity event. It refers to the timely identification of any cyber risk threatening your organization. The faster threats are detected, the more disruption can be held to a minimum.
Here are the key outcome categories for this core function:
- Anomalies and events - ensuring that all anomalies and events are discovered as quickly as possible and their potential impact is outlined.
- Continuous monitoring - implementing continuous security monitoring of information and assets ensures that any gaps in security can be filled, which also improves the overall effectiveness of security policies and procedures.
- Detection processes - ensuring that detection processes receive timely maintenance so that any cyber threat is detected as quickly as possible.
Core Function 4: Respond
The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. This function refers to the ability of the organization to minimise the negative impact of a cybersecurity breach. To do this effectively, a response plan and procedures need to be established well before any threat is detected.
The five categories that make up this function are:
- Response planning - ensuring that the response procedures outlined by the risk management strategy are carried out before and after a potential threat.
- Communications - ensuring that adequate communication with key internal and external stakeholders takes place during the incident, so that they are kept informed.
- Analysis - after the incident, adequate analysis needs to be carried out so that the impact can be measured and an understanding of what occurred and how it occurred can be established.
- Mitigation - making sure that appropriate actions to mitigate the impacts of the incident are carried out to resolve it and prevent any ripple effects.
- Improvements - ensuring that the organization learns from how the incident was dealt with on this occasion and improves its response function accordingly.
Core Function 5: Recover
The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired by a cybersecurity incident. This may include recovering data that was lost, restoring capacities that were damaged and ensuring everything is back to functioning normally.
Here are three key categories of this function:
- Recovery planning - prioritizing which systems and assets need to be fixed first to fast-track the organization's return to normalcy.
- Improvements - implementing improvements based on lessons learned and reviews of existing cybersecurity strategies.
- Communications - in order to recover, proper communication needs to be maintained between internal and external stakeholders.
Looking to manage your cybersecurity with the NIST framework approach? StickmanCyber's NIST Cybersecurity Framework services deploy a 5-step methodology to bring you a proactive, broad-scale and customised approach to managing cyber risk.